Attention to security has recently seen an explosion (pun intended), mostly due to the use of AI, for good and for bad: the bad being the flood of low-quality, AI-generated vulnerability reports, commonly called AI slop.

The Jetty Project takes security reports very seriously: we verify them against Jetty, and if Jetty is found to be vulnerable we produce a new release with a fix and an associated CVE.

HTTP/2 Bomb is a recent report, tracked as CVE-2026-49975.
Unlike other HTTP/2 vulnerabilities, which have been discussed and coordinated through VINCE (CERT/CC's coordination platform) before publication, this one was disclosed unilaterally, and that has worried some HTTP/2 implementers.

Jetty is not vulnerable to HTTP/2 Bomb.

We have tested Jetty against the published exploit script, using multiple combinations of its parameters.
In all cases, the connection is closed as soon as the request headers exceed the configured limit, keeping memory usage low and bounded.
No further frames from that client are processed on that connection, and no unbounded memory is allocated.

The configuration parameter that controls the maximum size of the request headers is HttpConfiguration.requestHeaderSize, which defaults to 8 KiB. A connection whose request headers exceed this bound is rejected; raising the value only widens the amount of header data a client is allowed to send, so keep it as small as your applications allow.

As a side note related to HTTP/2 Bomb: Jetty also protects against slow senders and receivers via the MinimumDataRateHandler (as documented here), which is not enabled by default and must be explicitly configured in the Jetty server setup.
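The following is an added example, not code from the original post or from the Jetty project, showing how the two settings discussed above fit together in an embedded Jetty 12 server: the request header bound on HttpConfiguration, shared by the HTTP/1.1 and cleartext HTTP/2 (h2c) connection factories on one connector, and a MinimumDataRateHandler wrapping the application handler. The class name BoundedHttp2Server, the port, the 1 KiB/s rates and the trivial handler are illustrative choices; the MinimumDataRateHandler constructor is assumed to take (minimumReadRate, minimumWriteRate) in bytes per second and to live in org.eclipse.jetty.server.handler, so check the javadoc of the Jetty version you deploy.

```java
import org.eclipse.jetty.http2.server.HTTP2CServerConnectionFactory;
import org.eclipse.jetty.io.Content;
import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Response;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.handler.MinimumDataRateHandler;
import org.eclipse.jetty.util.Callback;

// Illustrative embedded server (hypothetical class name), not Jetty project code.
public class BoundedHttp2Server {
    public static void main(String[] args) throws Exception {
        Server server = new Server();

        HttpConfiguration httpConfig = new HttpConfiguration();
        // Upper bound, in bytes, on the size of the request headers.
        // 8 KiB is the default; it is set explicitly here so the bound is visible in the
        // configuration. Raising it only widens what a client may send before being rejected.
        httpConfig.setRequestHeaderSize(8 * 1024);

        // HTTP/1.1 and cleartext HTTP/2 (h2c, via prior knowledge or upgrade) on the same port.
        // Both connection factories share the same HttpConfiguration, hence the same header bound.
        ServerConnector connector = new ServerConnector(server,
                new HttpConnectionFactory(httpConfig),
                new HTTP2CServerConnectionFactory(httpConfig));
        connector.setPort(8080); // illustrative port
        server.addConnector(connector);

        // Guard against slow senders and receivers: minimum read and write rates in bytes/second.
        // Assumed constructor signature (minimumReadRate, minimumWriteRate); the 1 KiB/s values
        // are illustrative and should be tuned to the slowest legitimate clients you expect.
        MinimumDataRateHandler dataRateHandler = new MinimumDataRateHandler(1024, 1024);
        dataRateHandler.setHandler(new Handler.Abstract() {
            @Override
            public boolean handle(Request request, Response response, Callback callback) {
                // Trivial application handler standing in for the real one.
                response.setStatus(200);
                Content.Sink.write(response, true, "ok\n", callback);
                return true;
            }
        });
        server.setHandler(dataRateHandler);

        server.start();
        server.join();
    }
}
```

Because the header bound lives on HttpConfiguration rather than on a protocol-specific factory, it is worth checking every ServerConnector in a deployment for a separately constructed HttpConfiguration with a larger value: the bound that matters is the one on the connector actually reached by untrusted clients.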

If you find a Jetty vulnerability, please report it responsibly by following these instructions, or send an email to security@jetty.org. No AI slop, please.
